
[codex] Fix CLI OAuth login polling#586

Merged
jahooma merged 1 commit into main from jahooma/fix-oauth-detect
May 4, 2026

Conversation

@brandonkachen
Collaborator

@brandonkachen brandonkachen commented May 4, 2026

Summary

Fixes CLI GitHub OAuth login polling for Codebuff and Freebuff when deterministic hardware fingerprints are reused across login attempts.

Root Cause

The newer stable CLI fingerprint means repeated login attempts can share the same fingerprint_id, while each generated login URL has a fresh auth hash because expiresAt changes. The old polling flow effectively treated fingerprint state as the login-attempt binding, which could leave stale hashes or return the wrong active session on shared devices or concurrent login attempts.

Changes

  • Adds nullable session.cli_auth_hash so each CLI session is bound to the specific login auth hash that created it.
  • Adds a partial unique index on (fingerprint_id, cli_auth_hash) for non-null auth hashes, making each CLI auth code single-use across accounts.
  • Updates Codebuff and Freebuff login polling to authenticate by fingerprint_id, cli_auth_hash, type = 'cli', and active expiry.
  • Stops mutating fingerprint.sig_hash during CLI login; fingerprint now identifies the device, while session.cli_auth_hash identifies the login attempt.
  • Updates replay and conflict checks to query CLI sessions directly.
  • Extracts testable status handlers for both Codebuff and Freebuff.
  • Preserves auth_code when Codebuff /onboard redirects an unauthenticated browser session back to /login.
  • Tightens expiresAt validation for status polling and numeric onboard expiry checks.
  • Adds focused tests for current-hash login success, wrong-hash failure, linked-web-session rejection, malformed expiry rejection, and onboard auth-code helpers.

Validation

  • bun run typecheck in packages/internal
  • bun run typecheck in web
  • bun run typecheck in freebuff/web
  • bun test web/src/app/api/auth/cli/status/__tests__/status.test.ts web/src/app/onboard/__tests__/helpers.test.ts
  • git diff --check
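An added example, not code from this PR or from the Codebuff/Freebuff repositories: an in-memory TypeScript model of the polling rule the description lays out (match on fingerprint_id, cli_auth_hash, type = 'cli' and an unexpired session; reject a malformed expiresAt; treat each (fingerprint_id, cli_auth_hash) pair as single-use). The `Session` fields, `SessionStore`, `parseExpiresAt`, `cliLoginStatus` and the sample rows are assumptions for illustration and do not reflect the project's real schema or handlers.

```typescript
// Added illustration, not Codebuff/Freebuff code. Every name below is an assumption.

type SessionType = 'cli' | 'web';

export interface Session {
  id: string;
  userId: string;
  fingerprintId: string;      // identifies the device; stable across login attempts
  cliAuthHash: string | null; // identifies the login attempt; null for non-CLI sessions
  type: SessionType;
  expiresAt: string;          // ISO-8601 timestamp
}

export type StatusResult =
  | { status: 'authenticated'; userId: string; sessionId: string }
  | { status: 'pending' }
  | { status: 'invalid'; reason: string };

// Emulates a partial unique index on (fingerprint_id, cli_auth_hash)
// WHERE cli_auth_hash IS NOT NULL: one session per auth hash per device,
// while any number of null-hash sessions may share a fingerprint.
export class SessionStore {
  private rows: Session[] = [];

  insert(s: Session): void {
    if (s.cliAuthHash !== null) {
      const taken = this.rows.some(
        (r) => r.fingerprintId === s.fingerprintId && r.cliAuthHash === s.cliAuthHash,
      );
      if (taken) throw new Error('unique violation: (fingerprint_id, cli_auth_hash)');
    }
    this.rows.push({ ...s });
  }

  list(): readonly Session[] {
    return this.rows;
  }
}

// Strict expiresAt check for the poll request: only a parseable timestamp
// that is still in the future is accepted. "", "NaN" and garbage strings are
// rejected instead of collapsing to 0 or Infinity.
export function parseExpiresAt(raw: unknown, nowMs: number): number | null {
  let ms: number;
  if (typeof raw === 'number') ms = raw;
  else if (typeof raw === 'string' && raw.trim() !== '') ms = Date.parse(raw);
  else return null;
  return Number.isFinite(ms) && ms > nowMs ? ms : null;
}

// The status poll: a session counts only if it is a CLI session bound to this
// device AND this login attempt, and has not expired. A web session on the same
// fingerprint, or a CLI session created by a different attempt, never matches.
export function cliLoginStatus(
  store: SessionStore,
  req: { fingerprintId: string; cliAuthHash: string; expiresAt: unknown },
  nowMs: number,
): StatusResult {
  if (parseExpiresAt(req.expiresAt, nowMs) === null) {
    return { status: 'invalid', reason: 'malformed or past expiresAt' };
  }
  if (!req.cliAuthHash) return { status: 'invalid', reason: 'missing auth hash' };

  const match = store.list().find(
    (s) =>
      s.type === 'cli' &&
      s.fingerprintId === req.fingerprintId &&
      s.cliAuthHash === req.cliAuthHash &&
      Date.parse(s.expiresAt) > nowMs,
  );
  return match
    ? { status: 'authenticated', userId: match.userId, sessionId: match.id }
    : { status: 'pending' };
}

// Constructed scenario: one device (stable fingerprint fp-A) started several
// login attempts; only the attempt whose hash the browser actually completed
// authenticates, and an auth hash cannot be bound to a second session.
export function demo(): Record<string, string | boolean> {
  const now = Date.parse('2026-05-04T21:00:00Z');
  const past = '2026-05-04T20:00:00Z';
  const future = '2026-05-04T21:10:00Z';
  const store = new SessionStore();
  store.insert({ id: 'cli-0', userId: 'u1', fingerprintId: 'fp-A', cliAuthHash: 'hash-0', type: 'cli', expiresAt: past });
  store.insert({ id: 'web-1', userId: 'u1', fingerprintId: 'fp-A', cliAuthHash: 'hash-1', type: 'web', expiresAt: future });
  store.insert({ id: 'cli-2', userId: 'u1', fingerprintId: 'fp-A', cliAuthHash: 'hash-2', type: 'cli', expiresAt: future });

  let replayRejected = false;
  try {
    store.insert({ id: 'cli-9', userId: 'u2', fingerprintId: 'fp-A', cliAuthHash: 'hash-2', type: 'cli', expiresAt: future });
  } catch {
    replayRejected = true;
  }

  const poll = (hash: string, exp: unknown = future): string =>
    cliLoginStatus(store, { fingerprintId: 'fp-A', cliAuthHash: hash, expiresAt: exp }, now).status;

  return {
    currentHash: poll('hash-2'),                     // authenticated
    staleHash: poll('hash-7'),                       // pending: no session for this attempt
    expiredSession: poll('hash-0'),                  // pending: session past expiry
    webSession: poll('hash-1'),                      // pending: type is 'web', not 'cli'
    malformedExpiry: poll('hash-2', 'not-a-date'),   // invalid
    replayRejected,                                  // true: second use of hash-2 refused
  };
}

console.log(demo());
```

The filter is the point: the fingerprint alone is no longer a credential, so two concurrent attempts from the same device (same fp-A, different hashes) cannot see each other's session, and the unique constraint makes a captured auth hash worthless once the legitimate session exists.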

@jahooma jahooma force-pushed the jahooma/fix-oauth-detect branch from f9f4f75 to 7052b5f May 4, 2026 21:00
@jahooma jahooma force-pushed the jahooma/fix-oauth-detect branch from 7052b5f to 1a7459e May 4, 2026 21:11
@jahooma jahooma marked this pull request as ready for review May 4, 2026 21:16
@jahooma jahooma merged commit 63a0468 into main May 4, 2026
35 checks passed
@jahooma jahooma deleted the jahooma/fix-oauth-detect branch May 4, 2026 21:17


2 participants